Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240611-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    27/06/2024, 01:07

General

  • Target

    32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe

  • Size

    136KB

  • MD5

    44dbf53170b964b9da3f2bca8dad30c0

  • SHA1

    a7f03af3ae3decfba18e38d915252bbb9ff79b4c

  • SHA256

    32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891

  • SHA512

    7076a0cdd5ce698eb9532ad3adc23491f771e3a9f00c6e8e3a674ce54fe63e3e461a08da220e63debc372ede25d9d144e9918c7a8acf4fa16bf4af7bd94fbef4

  • SSDEEP

    1536:S4+aEpOwd/VxDy/5X2++jCx3kdjKsPGR7ehp3vmLvsZIZwTcNhLx8bZJLtgliY4V:obpDCw1p3vmLvsZIaVvq7TW

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 3 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 3 IoCs
  • Adds policy Run key to start application 2 TTPs 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\SysWOW64\REG.exe
      REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
      2⤵
      • Impair Defenses: Safe Mode Boot
      • Modifies registry key
      PID:1564
    • C:\Users\Admin\AppData\Local\Temp\avscan.exe
      C:\Users\Admin\AppData\Local\Temp\avscan.exe
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\avscan.exe
        C:\Users\Admin\AppData\Local\Temp\avscan.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c c:\windows\W_X_C.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\windows\hosts.exe
          C:\windows\hosts.exe
          4⤵
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2564
          • C:\Users\Admin\AppData\Local\Temp\avscan.exe
            C:\Users\Admin\AppData\Local\Temp\avscan.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:784
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c c:\windows\W_X_C.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2940
            • C:\windows\hosts.exe
              C:\windows\hosts.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1696
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
              6⤵
              • Adds policy Run key to start application
              PID:1060
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:2972
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1540
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:768
          • C:\Windows\SysWOW64\REG.exe
            REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
            5⤵
            • Modifies registry key
            PID:1220
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
          4⤵
          • Adds policy Run key to start application
          PID:2728
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:308
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:3052
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:3068
      • C:\Windows\SysWOW64\REG.exe
        REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
        3⤵
        • Modifies registry key
        PID:2232
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\windows\W_X_C.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\windows\hosts.exe
        C:\windows\hosts.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2520
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"
        3⤵
        • Adds policy Run key to start application
        PID:2812
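The tree above is a loop: every copy of the dropped executable (avscan.exe in Temp, hosts.exe in the Windows directory) re-runs the same three things: a REG DELETE of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, which removes the Minimal/Network lists Safe Mode needs so the machine can no longer boot into Safe Mode to clean the Run entries; cmd running c:\windows\W_X_C.bat; and WScript running C:\Windows\W_X_C.vbs to set the policy Run key. The following is an added detection example written for this report, not tria.ge code: it runs four behavioural rules over process-creation events. The rule names, the ATT&CK technique mapping, and the allow-list of binaries that legitimately live directly in %SystemRoot% are my own assumptions; the sample events are a subset of the tree above, transcribed with the PIDs the report shows (the root's parent PID is not in the report, so it is set to 0).

```python
"""Behavioural detection over process-creation events for the tree shown above.

Added example for this report, not tria.ge code. Rules, technique mapping and
the allow-list are mine; SAMPLE_EVENTS is a constructed subset of the tree
above with the PIDs the report shows (root ppid unknown, set to 0).
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str  # ATT&CK ID from my own mapping; "-" where no single technique fits
    detail: str


# Binaries that legitimately sit directly in %SystemRoot% on Windows 7.
# Partial allow-list (assumption): extend it from a clean image of your own build.
WINDOWS_ROOT_ALLOWLIST = {
    "explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe",
    "winhlp32.exe", "bfsvc.exe", "splwow64.exe", "helppane.exe", "fveupdate.exe",
}

# REG DELETE of the key holding the Minimal/Network Safe Mode lists; REG ADD
# or QUERY against the same key is not flagged.
SAFEBOOT_DELETE = re.compile(r"\bdelete\b.*\\control\\safeboot\b", re.I)
# A script file sitting directly in %SystemRoot% (W_X_C.bat / W_X_C.vbs above).
SCRIPT_IN_WINDOWS = re.compile(
    r'[a-z]:\\windows\\[^\\\s"]+\.(?:bat|cmd|vbs|vbe|js|jse|wsf)\b', re.I)
# An .exe directly in %SystemRoot%, not in a subdirectory (C:\windows\hosts.exe above).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
SCRIPT_HOSTS = {"cmd.exe": "T1059.003", "wscript.exe": "T1059.005", "cscript.exe": "T1059.005"}


def detect(events: list[ProcEvent]) -> list[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: list[Finding] = []
    for e in events:
        name = PureWindowsPath(e.image).name.lower()
        if name == "reg.exe" and SAFEBOOT_DELETE.search(e.cmdline):
            findings.append(Finding(e.pid, "safeboot_key_deleted", "T1562.009", e.cmdline))
        if name in SCRIPT_HOSTS:
            m = SCRIPT_IN_WINDOWS.search(e.cmdline)
            if m:
                findings.append(Finding(e.pid, "script_in_windows_dir", SCRIPT_HOSTS[name], m.group(0)))
        if WINDOWS_ROOT_EXE.match(e.image) and name not in WINDOWS_ROOT_ALLOWLIST:
            findings.append(Finding(e.pid, "unknown_exe_in_windows_root", "T1036", e.image))
        # A process starting a second copy of its own image (avscan.exe -> avscan.exe above).
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append(Finding(e.pid, "self_respawn", "-", f"child of {parent.pid} with the same image"))
    return findings


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.rule for f in findings))


ROOT = r"C:\Users\Admin\AppData\Local\Temp\32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891_NeikiAnalytics.exe"
REG = r"C:\Windows\SysWOW64\REG.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
AVSCAN = r"C:\Users\Admin\AppData\Local\Temp\avscan.exe"
HOSTS = r"C:\windows\hosts.exe"
SAFEBOOT_CMD = r"REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f"
BAT_CMD = r"cmd /c c:\windows\W_X_C.bat"
VBS_CMD = r'"C:\Windows\System32\WScript.exe" "C:\Windows\W_X_C.vbs"'

# Constructed sample: the first two levels of the tree above plus one deeper branch.
SAMPLE_EVENTS = [
    ProcEvent(1688, 0, ROOT, f'"{ROOT}"'),
    ProcEvent(1564, 1688, REG, SAFEBOOT_CMD),
    ProcEvent(2780, 1688, AVSCAN, AVSCAN),
    ProcEvent(2748, 2780, AVSCAN, AVSCAN),
    ProcEvent(2848, 2780, CMD, BAT_CMD),
    ProcEvent(2564, 2848, HOSTS, HOSTS),
    ProcEvent(2728, 2848, WSCRIPT, VBS_CMD),
    ProcEvent(308, 2780, REG, SAFEBOOT_CMD),
    ProcEvent(2784, 1688, CMD, BAT_CMD),
    ProcEvent(2520, 2784, HOSTS, HOSTS),
    ProcEvent(2812, 2784, WSCRIPT, VBS_CMD),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.rule:<28} {f.technique:<10} {f.detail}")
    print(count_by_rule(detect(SAMPLE_EVENTS)))
```

On the subset above the SafeBoot rule fires twice, the script rule four times (two cmd, two WScript), the Windows-root rule on both hosts.exe instances, and the self-respawn rule once (PID 2748 under 2780). On the full tree the SafeBoot rule alone fires nine times, which matches the "Modifies registry key 9 IoCs" count in the signature list. The Windows-root rule is the one to tune: it is only as good as the allow-list, so validate it against a clean image before deploying it.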

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    320KB

    MD5

    413a908a2749b133288e0118b2f35ce6

    SHA1

    e2160c7b9e7efbae944d2634b49526a47a60fd41

    SHA256

    4fb8e97d8040e4c0333db19b17c1b25f7047f93c097f81494dd9fb92ed4ebc37

    SHA512

    18ac4dfa016235532df2625014a84348def86b52c277bf11ffbd423cdd704e50ec406388a51d4bc03d50ef9951c9ba4dec0b89146086e35d1da5fc79e76db332

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    456KB

    MD5

    d0b12d5451f835decd0a7fb43df00059

    SHA1

    68e32c482bc4b41d69e78545c794fd2db8b3855d

    SHA256

    8a6ca68ee99f84b0a610de545091f2fd2516eecb7babfba2a3620c0178c1a171

    SHA512

    dcbd01368fcfd3d8d2858eb3274720a5bdf808be81a64766232d0ee5ea1224399f65688534e0f2dac445031af138d41e7c13a165fa5add02a010564cd96ca037

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    592KB

    MD5

    8592f83f38319420e37971c537d1201a

    SHA1

    baacdfc4095d3b30eb4a4372820d7d6c693452f7

    SHA256

    1a6682988d7a6b8eba67d75f57b278e6507078dbeeaf007175d735bf5d866cbd

    SHA512

    32ff760e660ddf898ee8150ab3db4093250ba52fdb5d3ba377892fdc41f156d2c0d3ee0dd09357f29db117cde7231f98791a9249573c5c2b5c1b672e1fd8acdb

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    728KB

    MD5

    509df21a9e5e0f6ed190de6e2f71763f

    SHA1

    3552770594fff4a704e17403e994806c1801823a

    SHA256

    0a3e80a596901fe18e6d16a6fb689cfaa4ca1a06f97d721c76a47f54b5615d82

    SHA512

    6652d24a2942576758c3828322645a804e2f15203275eb2f1d50fab7bb17c5a2ae85921c7aaf070400db3897b73f68275453d5f4cc9f45097b0bc0b88db6749b

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    864KB

    MD5

    6a9982eda6791a4871e1f7671c1a4521

    SHA1

    5415ff7bfd9d90f2442b19ef8d8ac1ca9ae5bafa

    SHA256

    2df6d1fade3ff094dc08a4b5b547a1f32d0f26b6c67091f2f6d5d73710cbd1bc

    SHA512

    76d2c1e5ee89c13a5254c26a9cf87cecf12134b5f459eb5d520a4f744300481133667f8f6f0f12e0aef80217acb176e9f4d36b3d67211bdc6450fa744a8d4cc2

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.1MB

    MD5

    7bd365e7c1fa448643e6fb34580ce230

    SHA1

    8dae7d4248fdadf053f50d341e17c23ffc8cf31c

    SHA256

    37d3c96d6cd4d07dcb73a32f239caaf1e73a62aa7d80663648c5dff5c843fd0b

    SHA512

    679a5524a988248e275a1cb7633e427b7b91d402e515712e3fc2f176ce103a94bec31ec6a54342bb70fec6b5c29ac369662352dc5a7a765d853ab24b52df1a92

  • C:\Users\Admin\AppData\Local\Temp\Admin.bmp

    Filesize

    1.1MB

    MD5

    6e2bd7ab748c5767936cb689a0baac36

    SHA1

    20a8243288b388b5986d85b3fd083b5ce01a326a

    SHA256

    7618af0d1f217c321fdfdcf6f27ae7f20a7dcac897141e36d33b20dca01cf4bd

    SHA512

    7f25af9d342075c6cdb8f7dab696f305e1aae11b2ec2b971f22c6be29202a9bda8ac0724e44e716a5512616fabccb3aad0911d009ea2849559cfb36e1786e8d7

  • C:\Windows\W_X_C.vbs

    Filesize

    195B

    MD5

    f6c84b0b807d9c88dadd87289cbd9a71

    SHA1

    0ce2e8163c8b9bf6e56f6d819084d876821f8002

    SHA256

    73601c28154e4bbfcc10d4632aa75447ee9c97aebc599b9128fb0024af8939ac

    SHA512

    bf68dd033feba173231c07ca6beeba95c464d8ee226a957066901eccecfd771f457b59b475313fedd56856958fc575c14241bada16919b2400e6aa105d13849c

  • C:\Windows\hosts.exe

    Filesize

    136KB

    MD5

    73158f7a6a769b4e715e5b24de075299

    SHA1

    e469af2d1d21dfebfb1662bfb5fbdfa164e3e581

    SHA256

    4165eb28aa94d3c28279a07e1d8fc1b83a40d5393b1ff3fe69ae8ba52957fce6

    SHA512

    6db24e68b11728a8147de87133f76fd6270e8cb0032a14d2416e15cdb338c5ff9cf28d7c23ad2ace6defc412eecadbe0e827d0bc5a6b91a840519f74306026f5

  • \??\c:\windows\W_X_C.bat

    Filesize

    336B

    MD5

    4db9f8b6175722b62ececeeeba1ce307

    SHA1

    3b3ba8414706e72a6fa19e884a97b87609e11e47

    SHA256

    d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78

    SHA512

    1d6dc274cf7a3dd704f840e6a5ad57ab4c4e35d5f09489aeff520bb797e1c825bac53fc335156fe41e767a46520d031855fe42fe7b175409ebe5e9e986fb9b8b

  • \Users\Admin\AppData\Local\Temp\avscan.exe

    Filesize

    136KB

    MD5

    a93007fde3976ec7e44c525bacc7069c

    SHA1

    fc33a8700145f93d0ce54f310cf3b8c355125238

    SHA256

    6acfa6368c62f8fc318462b013cd9fcec781be03386dc2f5bef41cb2ba3fa6d8

    SHA512

    73e807f44cd9d8c588951a20ab56bb0c3efd3932b363517bafa69a7c28d4b0aafd08afd445c4bf75478c57065ae0614f75d0b767405a8d758aad1db6c33375f6

  • memory/2784-63-0x00000000023B0000-0x00000000024B0000-memory.dmp

    Filesize

    1024KB

  • memory/2784-62-0x00000000023B0000-0x00000000024B0000-memory.dmp

    Filesize

    1024KB
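The Downloads list gives exact hashes for the dropped files, but note that the three 136KB executables in this run (the submitted sample, avscan.exe and hosts.exe) all carry different hashes, so an exact-hash sweep only finds these specific copies. The following is an added example written for this report, not tria.ge code: a filesystem sweep that combines the report's SHA256 values with a rule on the file names this run reuses. The hash table is transcribed from the Downloads section above; the name rule (which assumes a later copy keeps the same names) and the size pre-filter are my own.

```python
"""Sweep a directory tree for the dropped files listed under Downloads above.

Added example for this report, not tria.ge code. REPORT_SHA256 is transcribed
from the report; SUSPECT_NAMES and MAX_SIZE are my own assumptions.
"""
from __future__ import annotations

import hashlib
import os
from pathlib import PureWindowsPath

# sha256 -> path as the report lists it
REPORT_SHA256 = {
    "32b045975ccefb955d07c1bcb892dc17adcbb1d39d604780dcbf81fed4941891": "submitted sample",
    "4165eb28aa94d3c28279a07e1d8fc1b83a40d5393b1ff3fe69ae8ba52957fce6": r"C:\Windows\hosts.exe",
    "6acfa6368c62f8fc318462b013cd9fcec781be03386dc2f5bef41cb2ba3fa6d8": r"\Users\Admin\AppData\Local\Temp\avscan.exe",
    "d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78": r"\??\c:\windows\W_X_C.bat",
    "73601c28154e4bbfcc10d4632aa75447ee9c97aebc599b9128fb0024af8939ac": r"C:\Windows\W_X_C.vbs",
}
# File names this run reuses; matching on them assumes a later copy keeps them.
SUSPECT_NAMES = {"hosts.exe", "avscan.exe", "w_x_c.bat", "w_x_c.vbs"}
# Largest file in the table is 136KB; anything bigger is name-checked but not hashed.
MAX_SIZE = 256 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk: int = 1 << 20) -> str:
    """Chunked SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(path: str, digest: str | None) -> list[str]:
    """Reasons a file is flagged: an exact-hash match and/or a reused name."""
    reasons: list[str] = []
    if digest is not None and digest.lower() in REPORT_SHA256:
        reasons.append(f"sha256 match: {REPORT_SHA256[digest.lower()]}")
    name = PureWindowsPath(path).name.lower()  # also splits on '/' for POSIX mounts
    if name in SUSPECT_NAMES:
        reasons.append(f"name match: {name}")
    return reasons


def sweep(root: str) -> list[tuple[str, list[str]]]:
    """Walk root (for example a mounted image) and return flagged files with reasons."""
    hits: list[tuple[str, list[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                digest = hash_file(p) if os.path.getsize(p) <= MAX_SIZE else None
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            reasons = classify(p, digest)
            if reasons:
                hits.append((p, reasons))
    return hits


if __name__ == "__main__":
    import sys
    for path, reasons in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(reasons))
```

Run it against a mounted image of the suspect host rather than the live system. A hit on the name rule without a hash match is the expected outcome for a fresh copy of this family, so treat it as a lead to pull the file for comparison with the behaviour in the process tree, not as a false positive.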